Splunk Search

How to exclude computer account name from results

arkonner
Path Finder

I am running a very simple search to determine accounts locked out:

server01 OR server02 OR server03 OR server04 EventCode=4740 Security_ID="*" Account_Name="*"   | Table Account_Name  _time

In the results as Account_Name I would like to exclude the computer account name (Server01$.....) considering that the user account name is related to the computer account name.

0 Karma

woodcock
Esteemed Legend

Like this:

index=YouShouldAlwaysSpecifyAnIndex sourcetype=AndSourcetypeToo (server01 OR server02 OR server03 OR server04) EventCode=4740 Security_ID="*" Account_Name!="*$"

lazer
Engager

I like Woodcocks reply, the component below was most valuable for eliminating computer account names

Account_Name!="*$"

 

0 Karma

Stevelim
Communicator

How about?

server01 OR server02 OR server03 OR server04 EventCode=4740 Security_ID="*" Account_Name!="*Server01$*"| stats values(Account_Name) as List | mvexpand List
0 Karma

tecooper
Explorer

@Stevelim I've been looking for this answer for 2 days now. You saved me!!! Thank you!

0 Karma

Stevelim
Communicator

Great to hear!

0 Karma

peauxdunk
Explorer

try this? a mix of rex and fields trickery

server01 OR server02 OR server03 OR server04 EventCode=4740 Security_ID="" Account_Name="" | Table Account_Name _time | rex field=Account_Name "(?<user>\$\w+)" | fields - Account_Name

This output should give you a new field called User and Omit the Server##

0 Karma

javiergn
Super Champion

You can use the where command for that:

server01 OR server02 OR server03 OR server04 EventCode=4740 Security_ID="" Account_Name="" 
| where NOT Account_Name=Computer_Name
| Table Account_Name _time

Or even an eval:

server01 OR server02 OR server03 OR server04 EventCode=4740 Security_ID="" Account_Name="" 
| eval Same = if(match(Account_Name,Computer_Name),1,0)
| search Same = 0
| Table Account_Name _time

arkonner
Path Finder

running both search as result I obtained

Domain controller computer account
user name

domainctrl1$
j.doe

domainctrl2$
s.brown

domainctrl1$
j.smith

I am looking just for the list of the user name

j.doe
s.brown
j.smith

0 Karma

javiergn
Super Champion

Hi, I'm not sure what you mean but if you just need the list of usernames then simply pipe the last line in your query to fields or table followed by the field name you want to display, you can even remove duplicates with dedup. For instance:

your search here
| dedup UserName
| table UserName

If that's not what you are looking for then it might be easier if you paste your query here.

0 Karma

sicknss
New Member

Reviving this as I am seeking an answer to the same issue and have yet to be able to find it.

What arkonner was saying is that they don't want the computer accounts to show in the results. I am trying to do the same but simply ignoring values that end in "$" is sloppy and could potentially hide valid results.

This search highlights the issue, I do not want to display results where the user matches any Workstation_Name appended with "$". The only way to make this work that I can think of is to build an array of Workstation_Name values and elminate users that match any value in the array... but I'm relatively new to Splunk and don't know how to do that yet.

index=wineventlog sourcetype="wineventlog:security" src_ip= | stats count by Workstation_Name user

0 Karma
Get Updates on the Splunk Community!

Introduction to Splunk Observability Cloud - Building a Resilient Hybrid Cloud

Introduction to Splunk Observability Cloud - Building a Resilient Hybrid Cloud  In today’s fast-paced digital ...

Observability protocols to know about

Observability protocols define the specifications or formats for collecting, encoding, transporting, and ...

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...